Update boot options

2025-06-29 21:30:42 +00:00 · 2024-04-12 20:49:49 +02:00 · 2024-04-12 20:49:49 +02:00 · e89b387e72
commit e89b387e72
parent cb968bdc07
12 changed files with 143 additions and 21 deletions
--- a/options/system/boot/default.nix
+++ b/options/system/boot/default.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ...}: let
+  inherit (lib) mkOption mkEnableOption literalExpression;
+
+  cfg = config.myOptions.system.boot;
+in {
+  imports = [
+    ./secure-boot.nix
+  ];
+
+  options.myOptions.system.boot = {
+    kernel = mkOption {
+      type = with lib.types; nullOr raw;
+      default = pkgs.linuxPackages_latest;
+      example = literalExpression "pkgs.linuxPackages_latest";
+      description = "The kernel to use for the system.";
+    };
+
+    tmpOnTmpfs =
+      mkEnableOption ''
+        `/tmp` living on tmpfs. false means it will be cleared manually on each reboot
+
+        This option defaults to `true` if the host provides patches to the kernel package in
+        `boot.kernelPatches`
+      '';
+  };
+}
--- a/options/system/boot/secure-boot.nix
+++ b/options/system/boot/secure-boot.nix
@ -0,0 +1,23 @@
+{ lib, ... }: with lib; let
+  inherit (lib) mkEnableOption;
+in
+{
+  options.myOptions.system.boot.secure-boot = {
+     enable = mkEnableOption ''
+      secure-boot using lanzaboote.
+
+      Note that you will need to have UEFI firmware, and the rebuild
+      will report errors until you generate the secure boot keys with:
+      ```shell
+      sudo sbctl create-keys
+      ````
+
+      Optionally (though enabling this is pointless otherwise), you should
+      now enter secure-boot setup mode and enroll the keys:
+      ```shell
+      sudo sbctl enroll-keys -m
+      ```
+      Then reboot, and secure-boot should be enabled.
+     '';
+  };
+}